Pftop is a small, curses-based utility for real-time display of
active states and rule statistics for pf, the
packet filter.
for OpenBSD.
Current release pftop-0.7, written and maintained by Can E. Acar.

Changes in version 0.7:
This version adds state filtering, which is funded by
backcountry.com, many thanks. It is now possible to select which
states are displayed using a tcpdump(8) like filtering language. The
filter can be specified on the command line, using the '-f' switch. It
is also possible to change the filter interactively using the 'f'
command key. Some sample, not necessarily practical, filters are given below:

Do not show pfsync or carp traffic:

not (pfsync or carp)
not pfsync and not carp

DNS traffic not going to or coming from the DNS servers:

port 53 and not host (10.0.0.10 or 10.0.0.11)

States with input bytes greater than 1M:

inb > 1000000

Traffic with very small average packet size:

((inb / inp) + (outb / outp))/2 < 100
inb / inp + outb / outp < 200

Changes in version 0.6:
No functional changes. It now compiles and runs on OpenBSD 4.1-current
after pf interface changes. This version also contains separated pf and
display code. This should make adding new views easier.

Changes in version 0.5:
This version displays all active pf rules by traversing the ruleset
tree. In addition HFSC queues are now displayed correctly thanks to
Jared Spiegel. This version also incorporates other patches and
comments I have received since the previous release. Many thanks to
all who have contributed.

New command-line switch 'S' to start the display at a given state.

Display HFCS statistics in the queue page.

Fixed state and rule byte and packet counters

Fixed state sorting by packets and bytes

Fixed some minor display problems

The rule view now traverses all rulesets, and displays all active
rules, together with anchor (ruleset) names.

Anchor and Label fields dynamically resize themselves

Changes in version 0.4:
This version adds caches states between updates, making it
possible to compute per state throughput. The rule and state views are
improved. There is a new ALTQ view by Primož Gabrijelčič

Better, stable state sorting using mergesort.

New command 'p' to pause view updates

Add state cache to store a number of states between updates
(configurable with -c command line switch, defaults to 10000)

Compute and display instantaneous and peak throughput for
cached states.

New sortable state fields 'peak' and 'rate' and a new 'speed' view
for throughput display.

Changes in version 0.3:
This version is developed with invaluable help from Camiel Dobbelaar who
fixed many documentation, style(9) and interface issues and tested most
of the changes and suggested improvements. Many thanks.

Fix performance issues with a large number of states.

Fix a typo that would cause pftop to crash if rules are
added while pftop is running.

Display states like in pfctl on wide displays.

Display interface and extra rule information in Rule views.

Display local time at the upper right corner

New -w option to set display width in raw mode.

Removed redundant -n option.

New key bindings to make the interface more like 'top'.

Left/Right cursor keys switch views.

CTRL-L refreshes display, SPACE updates immediately.

New command 's' to set display update interval

New command 'n' to set number of lines in display

Changes in version 0.2:
There are no big changes in version 0.2. Just minor
additions/corrections to make porting easier.

Fix make install (suggested by Greg Fitzgerald)

Move manual page to section 8, minor corrections to the manpage.

Use getprotobynumber in state display. bonus: protocol column
is now consistently lowercase. (suggested by Camiel Dobbelaar)

Steal more code from pfctl to display state column in text
for large displays. (suggested by Camiel Dobbelaar &
Daniel Hartmeier)

Display age and expiry columns in HH:MM:SS format as in pfctl
(suggested by Daniel Hartmeier)